Regardless of what industry you’re in, you collect and store data—lots of it. Depending on what kind of data you’re collecting and who you’re collecting it from, there are a myriad of policies, standards, and best practices to keep straight to ensure you’re protecting sensitive data and remaining compliant with all the laws and standards that govern your industry and location.
What is data compliance?
So, what exactly is data compliance? Simply put it’s an overarching term that covers the need to adhere to laws, regulations, standards, and policies related to the collection, storage, use, and sharing of data. These laws cover data security, data breaches, and data protection. Failing to comply with compliance standards can result in fines and penalties, as well as potentially damaging your company’s reputation. Let’s dive into some basic best practices of data storage best practices!
Legal ramifications aside, securing all sensitive information and personal data is good business. Let’s take it step by step.
Step 1: Conduct a data inventory to understand exactly what kind of data you collect, where it is, who can access it, and how it’s used.
Step 2: Identify the potential risks associated with the data discovered from your data inventory and the applicable laws and standards that apply to your data.
Step 3: Implement appropriate security measures to protect that data from unauthorized access, use, disclosure, alteration, or destruction including encryption, access controls, and regular security audits.
Step 4: Create and implement an incident response and data breach notification plan.
Step 5: Train your employees on all data compliance policies.
Step 6: Regularly audit your data security and compliance procedures and update them as laws and standards change.
It’s also a great idea to appoint a data protection officer (DPO) specifically tasked with overseeing your data compliance policies and procedures and monitoring all applicable laws and standards that may apply to your data.
It may seem simple, but Step 2 can be a challenge! There are numerous laws and standards that govern different types of data. In the United States, this includes:
The Health Insurance Portability and Accountability Act (HIPAA)—regulates the privacy and security of protected health information (PHI)
The Children's Online Privacy Protection Act (COPPA)—regulates the collection of personal information from minors under the age of 13
The Family Educational Rights and Privacy Act (FERPA)—regulates the collection and sharing of educational records
The Fair Credit Reporting Act (FCRA)—regulates the collection, use, and sharing of consumer credit information.
The Gramm-Leach-Bliley Act (GLBA)—regulates the collection, use, and sharing of financial information
The California Consumer Privacy Act (CCPA)—regulates the collection, use, and sharing of personal information of California residents (even if your business is not located in California)
The General Data Protection Regulation (GDPR)—regulates the protection of personal data collected from European Union (EU) citizens (even if your business is not located in the EU)
The Federal Information Security Modernization Act (FISMA)—regulates the security of government information and systems.
In addition to laws governing data, there are also a number of industry standards many companies must follow.
SOC 2 & 3—standards for reporting on the security, availability, processing integrity, confidentiality, and privacy of a service organization's system
ISO 27001—international standard for information security management to manage sensitive company information
The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)—a certifiable framework recognized by the U.S. Department of Health and Human Services to adhere to HIPAA regulations governing ePHI
National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)—a voluntary framework that provides guidelines for managing cybersecurity risk
PCI-DSS—standards to ensure the security data for all companies that accept, process, store, or transmit credit card information
Overwhelmed yet? That’s unsurprising. Chances are that the data you collect and store for your business falls under one or more of these regulations. So, what’s next?
Your best bet is to seek the help of a professional who is well-versed in all applicable data compliance laws and certified in the standards that apply to your data starting with Step 1. Rubrik can help you with your data audit and reduce your risk by discovering what types of sensitive data live in your systems, where it lives, and who has access to it. With vast expertise in healthcare, the financial services sector, and many other industries, Rubrik can assist your organization every step of the way. Rubrik Security Cloud implements Zero-Trust Data Security that protects your data and your company and helps ensure you’re maintaining the highest standards of data compliance and security.